Skip to content

Commit

Permalink
feat: support exclude kinds/namespaces and include kinds/namespaces
Browse files Browse the repository at this point in the history 
Signed-off-by: chenk <[email protected]>
  • Loading branch information
@chen-keinan
chen-keinan committed Mar 14, 2024
1 parent 71da44f commit 4e0f136
Show file tree
Hide file tree
Showing 4 changed files with 80 additions and 26 deletions.
16 changes: 8 additions & 8 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ require (
github.com/aquasecurity/trivy-aws v0.8.0
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.6.3
github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240314114133-fa3b568ef471
github.com/aquasecurity/trivy-policies v0.10.0
github.com/aws/aws-sdk-go-v2 v1.25.2
github.com/aws/aws-sdk-go-v2/config v1.27.4
Expand Down Expand Up @@ -114,7 +114,7 @@ require (
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
google.golang.org/protobuf v1.32.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.29.1
k8s.io/api v0.29.2
k8s.io/utils v0.0.0-20231127182322-b307cd553661
modernc.org/sqlite v1.28.0
)
Expand Down Expand Up @@ -176,7 +176,7 @@ require (
github.com/antchfx/xpath v1.2.3 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go v1.49.21 // indirect
github.com/aws/aws-sdk-go v1.50.35 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect
Expand Down Expand Up @@ -403,14 +403,14 @@ require (
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/apiextensions-apiserver v0.29.0 // indirect
k8s.io/apimachinery v0.29.1 // indirect
k8s.io/apimachinery v0.29.2 // indirect
k8s.io/apiserver v0.29.0 // indirect
k8s.io/cli-runtime v0.29.0 // indirect
k8s.io/client-go v0.29.0 // indirect
k8s.io/component-base v0.29.0 // indirect
k8s.io/cli-runtime v0.29.2 // indirect
k8s.io/client-go v0.29.2 // indirect
k8s.io/component-base v0.29.2 // indirect
k8s.io/klog/v2 v2.120.0 // indirect
k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
k8s.io/kubectl v0.29.0 // indirect
k8s.io/kubectl v0.29.2 // indirect
lukechampine.com/uint128 v1.2.0 // indirect
modernc.org/cc/v3 v3.40.0 // indirect
modernc.org/ccgo/v3 v3.16.13 // indirect
Expand Down
32 changes: 16 additions & 16 deletions go.sum
View file
Original file line number Diff line number Diff line change
Expand Up @@ -349,8 +349,8 @@ github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTU
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.6.3 h1:Hmo0pefXRsyVYsii62WUQyt3xMHjm37ipPESeWM/LNA=
github.com/aquasecurity/trivy-kubernetes v0.6.3/go.mod h1:v6B8SO2ep718ccGbbjhpzMn6p27IijS+dMb+MeYz3jQ=
github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240314114133-fa3b568ef471 h1:LYPxvRCuJMaf17+8BkiHoFuO6vj6HjzdEJxsC4BVEGs=
github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240314114133-fa3b568ef471/go.mod h1:rMvXfOG6anW/9F4vhv4gN9NPkS6ixurfXtYujUPrSvo=
github.com/aquasecurity/trivy-policies v0.10.0 h1:QONOsIFi6+WyB+7NGMBQeCgMFcRg6RV9dTBBpeOFDxU=
github.com/aquasecurity/trivy-policies v0.10.0/go.mod h1:7WU0GTUqtQxqQ+FV3JAy7lskQQZU6lp7Mz1i8GEapFw=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
Expand All @@ -366,8 +366,8 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
github.com/aws/aws-sdk-go v1.49.21 h1:Rl8KW6HqkwzhATwvXhyr7vD4JFUMi7oXGAw9SrxxIFY=
github.com/aws/aws-sdk-go v1.49.21/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
github.com/aws/aws-sdk-go v1.50.35 h1:llQnNddBI/64pK7pwUFBoWYmg8+XGQUCs214eMbSDZc=
github.com/aws/aws-sdk-go v1.50.35/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
github.com/aws/aws-sdk-go-v2 v1.25.2 h1:/uiG1avJRgLGiQM9X3qJM8+Qa6KRGK5rRPuXE0HUM+w=
github.com/aws/aws-sdk-go-v2 v1.25.2/go.mod h1:Evoc5AsmtveRt1komDwIsjHFyrP5tDuF1D1U+6z6pNo=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 h1:gTK2uhtAPtFcdRRJilZPx8uJLL2J85xK11nKtWL0wfU=
Expand Down Expand Up @@ -2446,32 +2446,32 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ=
k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8=
k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw=
k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ=
k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0=
k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc=
k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc=
k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc=
k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8=
k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM=
k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q=
k8s.io/apiserver v0.29.0 h1:Y1xEMjJkP+BIi0GSEv1BBrf1jLU9UPfAnnGGbbDdp7o=
k8s.io/apiserver v0.29.0/go.mod h1:31n78PsRKPmfpee7/l9NYEv67u6hOL6AfcE761HapDM=
k8s.io/cli-runtime v0.29.0 h1:q2kC3cex4rOBLfPOnMSzV2BIrrQlx97gxHJs21KxKS4=
k8s.io/cli-runtime v0.29.0/go.mod h1:VKudXp3X7wR45L+nER85YUzOQIru28HQpXr0mTdeCrk=
k8s.io/cli-runtime v0.29.2 h1:smfsOcT4QujeghsNjECKN3lwyX9AwcFU0nvJ7sFN3ro=
k8s.io/cli-runtime v0.29.2/go.mod h1:KLisYYfoqeNfO+MkTWvpqIyb1wpJmmFJhioA0xd4MW8=
k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k=
k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0=
k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8=
k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38=
k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA=
k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI=
k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM=
k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s=
k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M=
k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8=
k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM=
k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM=
k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI=
k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI=
Expand All @@ -2484,8 +2484,8 @@ k8s.io/klog/v2 v2.120.0/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
k8s.io/kubectl v0.29.0 h1:Oqi48gXjikDhrBF67AYuZRTcJV4lg2l42GmvsP7FmYI=
k8s.io/kubectl v0.29.0/go.mod h1:0jMjGWIcMIQzmUaMgAzhSELv5WtHo2a8pq67DtviAJs=
k8s.io/kubectl v0.29.2 h1:uaDYaBhumvkwz0S2XHt36fK0v5IdNgL7HyUniwb2IUo=
k8s.io/kubectl v0.29.2/go.mod h1:BhizuYBGcKaHWyq+G7txGw2fXg576QbPrrnQdQDZgqI=
k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20231127182322-b307cd553661 h1:FepOBzJ0GXm8t0su67ln2wAZjbQ6RxQGZDnzuLcrUTI=
Expand Down
47 changes: 47 additions & 0 deletions pkg/flag/kubernetes_flags.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,27 @@ var (
ConfigName: "kubernetes.exclude.nodes",
Usage: "indicate the node labels that the node-collector job should exclude from scanning (example: kubernetes.io/arch:arm64,team:dev)",
}

ExcludeKinds = Flag[[]string]{
Name: "exclude-kinds",
ConfigName: "kubernetes.exclude.kinds",
Usage: "indicate the kinds exclude from scanning (example: node)",
}
IncludeKinds = Flag[[]string]{
Name: "include-kinds",
ConfigName: "kubernetes.include.kinds",
Usage: "indicate the kinds included in scanning (example: node)",
}
ExcludeNamespaces = Flag[[]string]{
Name: "exclude-namespaces",
ConfigName: "kubernetes.exclude.namespaces",
Usage: "indicate the namespaces excluded from scanning (example: kube-system)",
}
IncludeNamespaces = Flag[[]string]{
Name: "include-namespaces",
ConfigName: "kubernetes.include.namespaces",
Usage: "indicate the namespaces included in scanning (example: kube-system)",
}
NodeCollectorImageRef = Flag[string]{
Name: "node-collector-imageref",
ConfigName: "kubernetes.node.collector.imageref",
Expand Down Expand Up @@ -106,6 +127,10 @@ type K8sFlagGroup struct {
NodeCollectorNamespace *Flag[string]
ExcludeOwned *Flag[bool]
ExcludeNodes *Flag[[]string]
ExcludeKinds *Flag[[]string]
IncludeKinds *Flag[[]string]
ExcludeNamespaces *Flag[[]string]
IncludeNamespaces *Flag[[]string]
QPS *Flag[float64]
Burst *Flag[int]
}
Expand All @@ -122,6 +147,10 @@ type K8sOptions struct {
NodeCollectorNamespace string
ExcludeOwned bool
ExcludeNodes map[string]string
ExcludeKinds []string
IncludeKinds []string
ExcludeNamespaces []string
IncludeNamespaces []string
QPS float32
Burst int
}
Expand All @@ -138,6 +167,10 @@ func NewK8sFlagGroup() *K8sFlagGroup {
NodeCollectorNamespace: NodeCollectorNamespace.Clone(),
ExcludeOwned: ExcludeOwned.Clone(),
ExcludeNodes: ExcludeNodes.Clone(),
ExcludeKinds: ExcludeKinds.Clone(),
IncludeKinds: IncludeKinds.Clone(),
ExcludeNamespaces: ExcludeNamespaces.Clone(),
IncludeNamespaces: IncludeNamespaces.Clone(),
NodeCollectorImageRef: NodeCollectorImageRef.Clone(),
QPS: QPS.Clone(),
Burst: Burst.Clone(),
Expand All @@ -161,6 +194,10 @@ func (f *K8sFlagGroup) Flags() []Flagger {
f.ExcludeOwned,
f.ExcludeNodes,
f.NodeCollectorImageRef,
f.ExcludeKinds,
f.IncludeKinds,
f.ExcludeNamespaces,
f.IncludeNamespaces,
f.QPS,
f.Burst,
}
Expand All @@ -185,6 +222,12 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
}
exludeNodeLabels[excludeNodeParts[0]] = excludeNodeParts[1]
}
if len(f.ExcludeNamespaces.Value()) > 0 && len(f.IncludeNamespaces.Value()) > 0 {
return K8sOptions{}, fmt.Errorf("include-namespaces and exclude-namespaces flags cannot be used together")
}
if len(f.ExcludeKinds.Value()) > 0 && len(f.IncludeKinds.Value()) > 0 {
return K8sOptions{}, fmt.Errorf("include-kinds and exclude-kinds flags cannot be used together")
}

return K8sOptions{
ClusterContext: f.ClusterContext.Value(),
Expand All @@ -199,6 +242,10 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
ExcludeNodes: exludeNodeLabels,
NodeCollectorImageRef: f.NodeCollectorImageRef.Value(),
QPS: float32(f.QPS.Value()),
ExcludeKinds: f.ExcludeKinds.Value(),
IncludeKinds: f.IncludeKinds.Value(),
ExcludeNamespaces: f.ExcludeNamespaces.Value(),
IncludeNamespaces: f.IncludeNamespaces.Value(),
Burst: f.Burst.Value(),
}, nil
}
Expand Down
11 changes: 9 additions & 2 deletions pkg/k8s/commands/cluster.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,8 +28,15 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err
return xerrors.Errorf("get k8s artifacts with node info error: %w", err)
}
case types.FormatJSON, types.FormatTable:
k8sOpts := []trivyk8s.K8sOption{
trivyk8s.WithExcludeNamespaces(opts.ExcludeNamespaces),
trivyk8s.WithIncludeNamespaces(opts.IncludeNamespaces),
trivyk8s.WithExcludeKinds(opts.ExcludeKinds),
trivyk8s.WithIncludeKinds(opts.IncludeKinds),
trivyk8s.WithExcludeOwned(opts.ExcludeOwned),
}
if opts.Scanners.AnyEnabled(types.MisconfigScanner) && slices.Contains(opts.Components, "infra") {
artifacts, err = trivyk8s.New(cluster, log.Logger, trivyk8s.WithExcludeOwned(opts.ExcludeOwned)).ListArtifactAndNodeInfo(ctx,
artifacts, err = trivyk8s.New(cluster, log.Logger, k8sOpts...).ListArtifactAndNodeInfo(ctx,
trivyk8s.WithScanJobNamespace(opts.NodeCollectorNamespace),
trivyk8s.WithIgnoreLabels(opts.ExcludeNodes),
trivyk8s.WithScanJobImageRef(opts.NodeCollectorImageRef),
Expand All @@ -38,7 +45,7 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err
return xerrors.Errorf("get k8s artifacts with node info error: %w", err)
}
} else {
artifacts, err = trivyk8s.New(cluster, log.Logger).ListArtifacts(ctx)
artifacts, err = trivyk8s.New(cluster, log.Logger, k8sOpts...).ListArtifacts(ctx)
if err != nil {
return xerrors.Errorf("get k8s artifacts error: %w", err)
}
Expand Down

0 comments on commit 4e0f136

Please sign in to comment.